Student File Management System
CVE-2025-15205
Severity: LOW
Severity by source: primary rating from NVD (the only source for this CVE).
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
A vulnerability was identified in code-projects Student File Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /download.php. The manipulation of the argument istore_id leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
Analysis (AI)
SQL injection in code-projects Student File Management System 1.0 via the istore_id parameter of /download.php lets a remote attacker who holds a valid low-privileged account inject SQL into the query the endpoint builds. NVD rates it 2.1 (Low) under CVSS 4.0: the endpoint is network-reachable with low attack complexity, but the attack requires privileges (PR:L), the vector scores only limited (L) impact on confidentiality, integrity and availability of the vulnerable system, and the exploit maturity is proof-of-concept (E:P). The EPSS exploitation probability is 0.04%, so real-world risk is low despite the public exploit.
Technical Context (AI)
The flaw is in the PHP file /download.php: the value of the istore_id request parameter is incorporated into a SQL query without being parameterized or escaped, so whoever controls that parameter can change the structure of the query rather than just its data. The advisory classifies the weakness as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component); that is the parent class of CWE-89 (SQL Injection), which is the specific weakness here. The affected product is a student file management system written in PHP, published by Fabian on code-projects.org, whose download endpoint is exposed over the web to logged-in users, which is what makes the injection remotely triggerable.
Remediation (AI)
Update Student File Management System to a patched version if the vendor (code-projects.org) publishes one; no fixed version is identified in public advisories at the time of writing. Until then, fix the code: in /download.php, pass istore_id to the database only as a bound parameter of a prepared statement, never by concatenating it into the query text. If istore_id is a numeric record identifier (its name suggests one, but the advisory does not say), additionally validate it as an integer and reject the request with an error before any query runs. A blocklist of SQL metacharacters (quotes, semicolons, comment dashes) is not a substitute for parameterization and is easy to bypass. Keep /download.php behind authentication (the vulnerability already requires a valid account, hence PR:L in the CVSS vector), and run the application under a database account limited to the privileges it needs, ideally SELECT only on the tables the download path reads, so that a successful injection cannot modify or delete data. Monitor application and database logs for SQL syntax errors and for download requests whose istore_id value is not a plain integer. Contact Fabian via code-projects.org for an official security patch or workaround.
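The following is an added illustration of the vulnerable pattern described under Technical Context and of the prepared-statement fix recommended above. It is not code from Student File Management System: the table and column names (files, istore_id, filename, owner) are assumed, and an in-memory SQLite database stands in for the product's real backend so the script runs on its own with PHP's PDO extension.

```php
<?php
// Added example, not code from Student File Management System.
// Schema (files / istore_id / filename / owner) is assumed for illustration;
// SQLite in memory replaces the application's real database backend.

declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE files (istore_id INTEGER PRIMARY KEY, filename TEXT, owner TEXT)');
$db->exec("INSERT INTO files VALUES (1, 'thesis.pdf', 'alice'), (2, 'grades.xlsx', 'bob')");

// Vulnerable pattern (CWE-89): the untrusted istore_id value is pasted into
// the SQL text, so the caller can rewrite the WHERE clause.
function lookupVulnerable(PDO $db, string $istoreId): array
{
    $sql = 'SELECT filename, owner FROM files WHERE istore_id = ' . $istoreId;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: validate the identifier as a positive integer first, then
// bind it as a parameter so the database never parses it as SQL.
function lookupHardened(PDO $db, string $istoreId): array
{
    $id = filter_var($istoreId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // A real handler would answer HTTP 400 here; no query is executed.
        return [];
    }
    $stmt = $db->prepare('SELECT filename, owner FROM files WHERE istore_id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a legitimate lookup and a tautology payload.
$benign  = '1';
$payload = '1 OR 1=1';

printf("vulnerable, benign : %d row(s)\n", count(lookupVulnerable($db, $benign)));   // 1
printf("vulnerable, payload: %d row(s)\n", count(lookupVulnerable($db, $payload)));  // 2: every file leaked
printf("hardened,   benign : %d row(s)\n", count(lookupHardened($db, $benign)));     // 1
printf("hardened,   payload: %d row(s)\n", count(lookupHardened($db, $payload)));    // 0: rejected before the query
```

Run it with `php example.php`. The vulnerable function returns both rows for the tautology payload because the injected `OR 1=1` becomes part of the query; the hardened function never reaches the database with that input, and even a value that passes validation is sent as a bound integer rather than as SQL text. The same two-step pattern (validate the shape, then bind) applies unchanged to a MySQL backend through PDO or mysqli prepared statements.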